No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).



Hierarchy of VPN (HoVPN) is a multi-layer VPN architecture that deploys PE functions on multiple PE devices. In this architecture, multiple PE devices play different roles and fulfill the functions of one PE. HoVPN is also called hierarchy of PE (HoPE).


As key devices on a BGP/MPLS IP VPN network, PE devices provide must provide a large number of interfaces for user access, and provide large-capacity memory and high forwarding capabilities to manage and advertise VPN routes, and process user packets.

Most networks use typical hierarchical architecture. For example, a MAN uses a three-layer architecture consisting of the core, aggregation, and access layers. From the core layer to the access layer, the requirements for device performance decreases, but the network scale increases.

BGP/MPLS IP VPN uses a plane model, which has the same performance requirement for all the PE devices. If some PE devices do not provide high performance or scalability, the entire network is affected.

Because the plane model of BGP/MPLS IP VPN is different from the typical hierarchical architecture, deployment of new PE devices at each layer is difficult due to low scalability. This plane model hinders large-scale VPN deployment. The HoVPN solution is developed to address this issue.

In the HoVPN model, devices at higher layers must have high routing and forwarding capabilities, whereas devices at lower layers can have lower capabilities.


  • HoVPN architecture
    Figure 7-24  HoVPN architecture

    As shown in Figure 7-24, the devices directly connected to user devices are called underlayer PE or user-end PE (UPE) devices. The device that is deployed within the backbone network and connected to UPE devices is called a superstratum PE or service provider-end PE (SPE) device.

    Multiple UPE devices and an SPE device form a hierarchy of PE and provide functions of a traditional PE device.

  • Relationship between the UPE and SPE

    • The UPE device provides user access. It maintains routes of directly connected VPN sites, but does not maintain routes of remote VPN sites or only maintains summarized routes of remote VPN sites. Each UPE device assigns an inner label to routes of directly connected sites and uses MP-BGP to advertise the label with the VPN routes to the SPE device.

    • The SPE device manages and advertises VPN routes. It maintains all the routes of the VPN sites connected through the UPE devices, including routes of local and remote sites. However, the SPE does not advertise routes of remote sites to the UPE devices. Instead, it advertises only default routes of VPN instances with labels.

    • The UPE and SPE devices use label forwarding. The SPE device uses only one interface to connect to each UPE device and does not need to provide many interfaces for access users. An UPE device can connect to the SPE device through a physical interface, a sub-interface, or a tunnel interface. If a tunnel interface is used, the UPE and SPE devices can communicate across an IP or MPLS network. Labeled packets are transmitted between the UPE and SPE devices through a tunnel. If a GRE tunnel is used, GRE must support encapsulation of MPLS packets.

      As an SPE device and a UPE device play different roles, requirements for them are different:

      • An SPE device has a large routing table, high forwarding performance, but few interfaces.
      • A UPE device has a small routing table, low forwarding performance, and high access capabilities.

      A PE device is a SPE device for a lower-layer PE device and is a UPE device for an upper-layer PE device.

      An HoPE can coexist with common PE devices on an MPLS network.


    If a UPE device and an SPE device belong to the same AS, MP-BGP running between them is MP-IBGP. If they belong to different ASs, MP-BGP running between them is MP-EBGP.

    When MP-IBGP is used, an SPE device can function as an RR of multiple UPE devices to advertise routes between the IBGP peers. To reduce the number of routes on the UPE devices, do not use the SPE as an RR for other PE devices.

    A UPE device can connect to multiple SPE devices. This networking is called UPE multi-homing. In this networking, the SPE devices advertise the VRF default routes to the UPE device. The UPE device selects one route as the optimal route or selects multiple routes to perform load balancing. The UPE device advertises all the VPN routes to the SPE devices or advertises some of VPN routes to each SPE to implement load balancing.

  • Label operation in HoVPN

    Figure 7-25 shows an example of label operation in HoVPN. In this example, an LSP tunnel is set up between the SPE and PE devices.

    Figure 7-25  Label operation in HoVPN

    • CE1 → CE2 (marked by the black line)

      • After receiving a packet from CE1, the UPE device adds an inner label to the packet and forwards the packet to the SPE device.

      • After receiving the labeled packet, the SPE device swaps the inner label, adds an outer LSP label to the packet, and sends the packet to the PE device.

      • After the packet arrives at the previous hop of the PE device, this hop pops the outer LSP label. The process is called penultimate hop popping.

      • After the PE device receives the packet, it pops the inner label.

    • CE2 → CE1 (marked by the blue line)

      • After receiving a packet from CE2, the PE device adds an inner label and an outer LSP label to the packet, and then forwards the packet to the SPE device.

      • After the packet arrives at the previous hop of the SPE device, this hop pops the outer LSP label.

      • The SPE device swaps the inner label for a new one and forwards the packet to the UPE device.

      • After the UPE device receives the packet, it pops the inner label.

  • HoVPN embedding and extension

    HoVPN supports HoPE embedding.
    • An HoPE can function as a UPE device and compose a new HoPE with an SPE device.

    • An HoPE can function as an SPE device and compose a new HoPE with multiple UPE devices.

    • HoPEs can be embedded multiple times in the preceding two modes.

    HoPE embedding can infinitely extend a VPN.

    Figure 7-26  HoPE embedding

    Figure 7-26 shows a three-layer HoPE, and the PE device in the middle is called the middle-level PE (MPE) device. MP-BGP runs between the SPE and MPE devices, and between the MPE and UPE devices.


    Actually, the MPE device does not exist in an HoVPN model. The concept is used just for the convenience of description.

    MP-BGP advertises all the VPN routes of the UPE devices to the SPE device, but advertises only the default VPN routes of the SPE device to the UPE devices.

    The SPE device maintains the routes of all VPN sites connected to the PE devices, whereas the UPE devices maintain only the VPN routes of the directly connected VPN sites. The quantities of routes maintained by the SPE, MPE, and UPE devices are in descending order.

Advantages of HoVPN

The HoVPN model has the following advantages:

  • A BGP/MPLS IP VPN network can be divided into different hierarchies. If the performance of UPE devices does not satisfy service requirements, an SPE device can be added above UPE devices. When access capabilities of an SPE device are insufficient, UPE devices can be added below the SPE device.

  • Label forwarding is performed between UPE and SPE devices. Therefore, a UPE device and an SPE device are interconnected through only a pair of interfaces or sub-interfaces. This saves interface resources.

  • If a UPE device and an SPE device are separated by an IP or MPLS network, they can set up a GRE or LSP tunnel. A layered MPLS VPN has enhanced scalability.

  • The UPE devices maintain only the local VPN routes, and all the remote routes are represented by a default or summarized route. This reduces loads on the UPE devices.

  • SPE and UPE devices use MP-BGP to exchange routes and advertise labels. Each UPE device sets up only one MP-BGP peer, reducing the protocol cost and configuration workload.

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 142582

Downloads: 359

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next